topic ASA and HTTP problem in Network Security

ASA and HTTP problem

bgp.ripe901 — Tue, 12 Mar 2019 09:15:08 GMT

Hi all !

I Use ASA:5520 failover cluster.

Cisco Adaptive Security Appliance Software Version 8.3(1)

Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz

Internal ATA Compact Flash, 256MB

This platform has an ASA 5520 VPN Plus license.

Inside Hosts : Unlimited perpetual

###

I observe a floating problem with the fact that HTTP resources may not be available from time to time:

config:

object network wifi-onyx-lap-access-point

subnet 10.0.130.0 255.255.255.0

object network wifi-onyx-lap-access-point

nat (inside,outside) dynamic 141.101.243.XXX

Log:

ru-msk-ai001# sh xlate | i 10.0.130.123

UDP PAT from inside:10.0.130.123/123 to outside:141.101.2X.XX/91 flags ri idle 0:00:03 timeout 0:00:30

TCP PAT from inside:10.0.130.123/57277 to outside:141.1XX.2X.XX/11663 flags ri idle 0:00:05 timeout 0:00:30

TCP PAT from inside:10.0.130.123/57276 to outside:141.101.2XX.1XX/38753 flags ri idle 0:00:05 timeout 0:00:30

###

ru-msk-ai001# sh conn | i 10.0.130.123

TCP outside 104.75.57.165:443 inside 10.0.130.123:57273, idle 0:00:37, bytes 8565, flags UIO

TCP outside 17.253.55.212:80 inside 10.0.130.123:57247, idle 0:06:24, bytes 1932, flags UFIO

UDP outside 17.253.54.253:123 inside 10.0.130.123:123, idle 0:00:31, bytes 96, flags -

UDP outside 17.253.54.125:123 inside 10.0.130.123:123, idle 0:00:31, bytes 96, flags -

###

Problem debug - HTTP traffic:

1: 18:21:20.706414 10.0.130.27.59812 > 178.62.9.171.80: S 755093679:755093679(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 245478874 0,sackOK,eol>

2: 18:21:20.761160 178.62.9.171.80 > 10.0.130.27.59812: S 3475864375:3475864375(0) ack 755093680 win 28960 <mss 1380,sackOK,timestamp 3203506131 245478874,nop,wscale 8>

3: 18:21:20.763769 10.0.130.27.59812 > 178.62.9.171.80: . ack 3475864376 win 4104 <nop,nop,timestamp 245478934 3203506131>

7: 18:21:52.553621 178.62.9.171.80 > 10.0.130.27.59812: S 3475864375:3475864375(0) ack 755093680 win 28960 <mss 1380,sackOK,timestamp 3203514080 245478934,nop,wscale 8>

8: 18:22:23.513706 10.0.130.27.59820 > 213.180.204.62.80: S 579124212:579124212(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 245541576 0,sackOK,eol>

9: 18:22:23.517597 213.180.204.62.80 > 10.0.130.27.59820: S 3379191765:3379191765(0) ack 579124213 win 27960 <mss 1380,sackOK,timestamp 2903065140 245541576,nop,wscale 8>

10: 18:22:23.520511 10.0.130.27.59820 > 213.180.204.62.80: . ack 3379191766 win 4104 <nop,nop,timestamp 245541581 2903065140>

11: 18:24:04.550203 10.0.130.27.59824 > 173.255.255.20.80: S 3982395340:3982395340(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 245642524 0,sackOK,eol>

12: 18:24:04.748771 173.255.255.20.80 > 10.0.130.27.59824: S 1420396915:1420396915(0) ack 3982395341 win 28960 <mss 1380,sackOK,timestamp 133574852 245642524,nop,wscale 7>

13: 18:24:04.751212 10.0.130.27.59824 > 173.255.255.20.80: . ack 1420396916 win 4104 <nop,nop,timestamp 245642722 133574852>

14: 18:24:06.923215 10.0.130.27.59825 > 199.233.217.201.21: S 2362179665:2362179665(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 245644892 0,sackOK,eol>

15: 18:24:07.127724 199.233.217.201.21 > 10.0.130.27.59825: S 3696146908:3696146908(0) ack 2362179666 win 4096 <mss 1380,nop,wscale 6,nop,nop,timestamp 1 245644892,sackOK,nop,nop>

16: 18:24:07.186834 10.0.130.27.59825 > 199.233.217.201.21: . ack 3696146909 win 4104 <nop,nop,timestamp 245645155 1>

17: 18:24:08.201146 199.233.217.201.21 > 10.0.130.27.59825: P 3696146909:3696146970(61) ack 2362179666 win 68 <nop,nop,timestamp 4 245645155>

18: 18:24:08.231234 10.0.130.27.59825 > 199.233.217.201.21: . ack 3696146970 win 4102 <nop,nop,timestamp 245646199 4>

19: 18:24:08.232898 10.0.130.27.59825 > 199.233.217.201.21: P 2362179666:2362179676(10) ack 3696146970 win 4102 <nop,nop,timestamp 245646200 4>

20: 18:24:08.440284 199.233.217.201.21 > 10.0.130.27.59825: P 3696146970:3696147019(49) ack 2362179676 win 68 <nop,nop,timestamp 4 245646200>

packet-tracer:

ru-msk-ai001# packet-tracer input inside tcp 10.0.130.27 59812 178.62.9.171 80$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x541b9a68, priority=1, domain=permit, deny=false
hits=51268251027, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 359980837, using existing flow
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Phase: 3
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.85.50 using egress ifc inside
adjacency Active
next-hop mac address 649e.f30d.6740 hits 529

Result:
input-interface: inside
input-status: up
input-line-status: up
Action: allow

###

ru-msk-ai001# show asp drop

Frame drop:
Flow is denied by configured rule (acl-drop) 12467
First TCP packet not SYN (tcp-not-syn) 19708
Bad TCP flags (bad-tcp-flags) 31
TCP failed 3 way handshake (tcp-3whs-failed) 215
TCP RST/FIN out of order (tcp-rstfin-ooo) 2544
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 12
TCP packet SEQ past window (tcp-seq-past-win) 72
TCP invalid ACK (tcp-invalid-ack) 276
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 5
TCP packet failed PAWS test (tcp-paws-fail) 9
Slowpath security checks failed (sp-security-failed) 392
DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 12
DNS Inspect id not matched (inspect-dns-id-not-matched) 4
FP L2 rule drop (l2_acl) 1606

Last clearing: 12:52:33 MSK Apr 24 2017 by vadim

Flow drop:
Inspection failure (inspect-fail) 216

Your config looks

Rahul Govindan — Mon, 24 Apr 2017 11:26:22 GMT

Your config looks straightforward to me. When you say HTTP resources, do you mean you are not able to browse web pages when the issue happens? There could be many reasons and not necessarily the ASA at fault.To better troubleshoot this, you would have to collect captures on your inside and outside interface of the ASA when you start seeing this issue. This will help you see the entire floe of traffic and see if the ASA is dropping any packets. Also, you are running the first version of 8.3 i.e. 8.3(1). You might want to upgrade to one of the later supported codes to get past any bugs that you might be facing with the release.

See new capture Problem HTTP

bgp.ripe901 — Wed, 26 Apr 2017 10:20:31 GMT

See new capture Problem HTTP traffic :

Inside capture:

8: 12:16:28.576325 10.0.130.132.54736 > 213.180.204.62.80: SWE 2824034339:2824034339(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 245317298 0,sackOK,eol>

9: 12:16:28.586853 213.180.204.62.80 > 10.0.130.132.54736: SE 2152717139:2152717139(0) ack 2824034340 win 27960 <mss 1380,sackOK,timestamp 884977026 245317298,nop,wscale 8>

10: 12:16:28.589431 10.0.130.132.54736 > 213.180.204.62.80: . ack 2152717140 win 4104 <nop,nop,timestamp 245317310 884977026>

###

20: 12:17:20.138634 213.180.204.62.80 > 10.0.130.132.54675: . ack 2267140545 win 110 <nop,nop,timestamp 731105536 245152491>

21: 12:17:20.167273 10.0.130.132.54675 > 213.180.204.62.80: R 2267140545:2267140545(0) win 0

22: 12:17:37.133614 213.180.204.62.80 > 10.0.130.132.54693: . ack 2119608774 win 110 <nop,nop,timestamp 1100386304 245169483>

23: 12:17:37.192967 10.0.130.132.54693 > 213.180.204.62.80: R 2119608774:2119608774(0) win 0

24: 12:17:48.752371 213.180.204.62.80 > 10.0.130.132.54695: . ack 2366314958 win 110 <nop,nop,timestamp 885214208 245180823>

25: 12:17:48.786473 10.0.130.132.54695 > 213.180.204.62.80: R 2366314958:2366314958(0) win 0

26: 12:18:01.782964 10.0.130.132.54739 > 213.180.204.62.80: S 2925360319:2925360319(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 245410432 0,sackOK,eol>

27: 12:18:01.791554 213.180.204.62.80 > 10.0.130.132.54739: S 2997702397:2997702397(0) ack 2925360320 win 27960 <mss 1380,sackOK,timestamp 474265027 245410432,nop,wscale 8>

28: 12:18:01.794224 10.0.130.132.54739 > 213.180.204.62.80: . ack 2997702398 win 4104 <nop,nop,timestamp 245410446 474265027>

29: 12:18:10.443168 213.180.204.62.80 > 10.0.130.132.54703: . ack 2065444472 win 110 <nop,nop,timestamp 884879616 245202235>

30: 12:18:10.511829 10.0.130.132.54703 > 213.180.204.62.80: R 2065444472:2065444472(0) win 0

31: 12:18:43.000106 213.180.204.62.80 > 10.0.130.132.54705: . ack 3489438041 win 110 <nop,nop,timestamp 885001728 245235222>

32: 12:18:43.099878 10.0.130.132.54705 > 213.180.204.62.80: R 3489438041:3489438041(0) win 0

###

OUTSIDE capture:

109: 12:16:28.576508 802.1Q vlan#500 P0 141.101.243.186.19798 > 213.180.204.62.80: SWE 315774344:315774344(0) win 65535 <mss 1380,nop,wscale 5,nop,nop,timestamp 245317298 0,sackOK,eol>

110: 12:16:28.586822 802.1Q vlan#500 P0 213.180.204.62.80 > 141.101.243.186.19798: SE 1441464601:1441464601(0) ack 315774345 win 27960 <mss 1410,sackOK,timestamp 884977026 245317298,nop,wscale 8>

111: 12:16:28.589477 802.1Q vlan#500 P0 141.101.243.186.19798 > 213.180.204.62.80: . ack 1441464602 win 4104 <nop,nop,timestamp 245317310 884977026>

###

288: 12:17:20.138603 802.1Q vlan#500 P0 213.180.204.62.80 > 141.101.243.186.42911: . ack 3970837092 win 110 <nop,nop,timestamp 731105536 245152491>

289: 12:17:20.167303 802.1Q vlan#500 P0 141.101.243.186.42911 > 213.180.204.62.80: R 3970837092:3970837092(0) win 0

290: 12:17:37.133583 802.1Q vlan#500 P0 213.180.204.62.80 > 141.101.243.186.21209: . ack 4081145712 win 110 <nop,nop,timestamp 1100386304 245169483>

291: 12:17:37.192998 802.1Q vlan#500 P0 141.101.243.186.21209 > 213.180.204.62.80: R 4081145712:4081145712(0) win 0

310: 12:17:48.752356 802.1Q vlan#500 P0 213.180.204.62.80 > 141.101.243.186.40839: . ack 2372938204 win 110 <nop,nop,timestamp 885214208 245180823>

311: 12:17:48.786504 802.1Q vlan#500 P0 141.101.243.186.40839 > 213.180.204.62.80: R 2372938204:2372938204(0) win 0